DPA

Data Processing Agreement

The processor agreement under Art. 28 GDPR between you and Shubh Pranamya.

Effective Date: May 22, 2026

1. Status of this document

This Data Processing Agreement (the "DPA") supplements the Terms of Use between you ("Merchant", "Controller") and Shubh Pranamya (the operator of CrawlWithAI, "Processor", "we", "us"). It applies where you process personal data of EU or UK data subjects as a controller and CrawlWithAI processes that data on your behalf.

By installing or continuing to use the CrawlWithAI Shopify app, you accept this DPA as a binding part of the agreement. If your organisation requires a counter-signed copy on letterhead, email support@crawlwithai.com with your details and we will return one.

This is a v1 template. It is provided to satisfy the immediate practical need for App Store submission and standard B2B merchant install flows. We recommend any merchant with enterprise data-protection requirements (large EU shopper volume, regulated industry, etc.) ask their counsel to review it before relying on it for that scale.

2. Parties and roles

Controller: you, the Shopify merchant who installed the CrawlWithAI app on your Shopify store.

Processor: Shubh Pranamya, a business registered in Mumbai, India. Registered office: Shop No. 33, Ashoka Palace, Makrani Pada Road, Malad East, Mumbai 400097, India. GSTIN: 27AFIFS3251E1Z1. Contact: support@crawlwithai.com.

We are a Processor in respect of shopper personal data processed via your storefront. We are an independent Controller in respect of your merchant account data (which you provided to us directly).

3. Subject matter and duration

Subject matter. Processing of shopper personal data (as described in section 4) to deliver the AI Network, Sales AI widget, AI Mapping, AI Optimizer, AI Orders, and Multi-Protocol Reach features of the CrawlWithAI Shopify app to you.

Duration. For as long as the CrawlWithAI app is installed on your Shopify store, plus the retention windows in our Privacy Policy section 6. On uninstall, Shopify sends us a shop/redact webhook within 48 hours and we permanently delete all data tied to your shop.

4. Nature, purpose, and categories of data

Nature of processing: collection, structured storage, indexed retrieval, semantic search, AI-assisted recommendation, encryption, hashing, transmission to named sub-processors (see section 7), pseudonymisation, retention-limited storage, and deletion.

Purpose: to operate the CrawlWithAI service as described in the Terms of Use.

Categories of data subjects:

  • Your shoppers (consumers of your Shopify storefront).
  • AI agents acting on behalf of your shoppers (LLMs, AI assistants).

Categories of personal data:

  • Truncated SHA-256 hash of the shopper's IP address (the raw IP is never stored).
  • Session and visitor cookie IDs.
  • Referer and User-Agent strings (used for AI source attribution).
  • Shopify-issued numeric customer ID (only when a sale completes; not on browsing).
  • Sales AI widget chat transcripts (with emails and formatted phone numbers stripped server-side before storage and before transmission to Anthropic). Retained 90 days.
  • GA4 client ID (only when the merchant has connected their own GA4 property).

We do not process: shopper names, email addresses, postal addresses, raw phone numbers, payment card details, government IDs, or any "special category" data under Art. 9 GDPR.

5. Obligations of the Processor

We will:

  • Process only on your instructions. Your installation of the app, and your configuration of its features in the Shopify admin, constitute your instructions. We will not process shopper personal data for any other purpose.
  • Ensure confidentiality. The operator (Shubh Pranamya) and any contractors with access to shopper personal data are bound by confidentiality obligations.
  • Implement appropriate security. See section 6.
  • Engage sub-processors only under section 7.
  • Assist you with data subject requests. Where you receive a request from a shopper concerning data we process on your behalf (access, rectification, erasure, restriction, portability, objection), we will provide reasonable assistance within five business days of your email at support@crawlwithai.com.
  • Assist with DPIA and prior consultation. If you conduct a Data Protection Impact Assessment under Art. 35 GDPR for processing involving the CrawlWithAI app, we will provide the technical information you reasonably need.
  • Notify you of breaches. See section 8.
  • Delete or return data on termination. See section 9.
  • Make available the information necessary to demonstrate compliance. The Privacy Policy, this DPA, the public sub-processor list, and our security disclosures are the primary artifacts; we will respond to reasonable questions from you in writing.

6. Security measures (Art. 32 GDPR)

  • Encryption in transit: TLS 1.2 or higher on all traffic.
  • Encryption at rest: AES-256 on the PostgreSQL database hosted on Railway in the EU region.
  • IP hashing: raw IP addresses are never written to disk. The IP is SHA-256 hashed with a non-public salt and truncated to 16 hex characters before storage.
  • API key hashing: we store scrypt hashes only. Plaintext keys are shown once at creation and discarded.
  • OAuth tokens: Shopify access tokens are stored encrypted; never logged.
  • Access control: production database access is restricted to the operator. No third party has direct database access.
  • Server-side PII strip: emails and formatted phone numbers are stripped from shopper widget messages before any sub-processor or persistence write.
  • Retention enforcement: automated daily job deletes Sales AI widget messages older than 90 days.
  • Shopify-mandatory privacy webhooks: customers/data_request, customers/redact, and shop/redact are implemented and acted on within 30 days.

7. Sub-processors (Art. 28 GDPR)

You authorise us to engage the sub-processors listed in our Privacy Policy section 5. The current list, kept up to date there, is: Shopify Inc., Anthropic PBC, Voyage AI Innovations Inc., Google LLC (GA4 Measurement Protocol, optional), Microsoft (IndexNow), Railway Corporation, and Open Exchange Rates.

We will provide at least 30 days' prior notice by email (to the address on your Shopify account) before engaging a new sub-processor or replacing an existing one. If you object to the change on reasonable data-protection grounds, you may terminate the agreement under the cancellation provisions in the Terms before the new sub-processor goes live. Continued use of the app after the 30-day notice period constitutes consent to the new sub-processor.

Each sub-processor is bound by data-protection obligations no less protective than this DPA, via Standard Contractual Clauses or equivalent (see section 11 on international transfers).

8. Personal data breach notification (Art. 33 GDPR)

If we become aware of a personal data breach affecting shopper personal data processed on your behalf, we will notify you without undue delay and at the latest within 72 hours of detection. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take to address it.

If you are required under Art. 33 GDPR to notify a supervisory authority or affected data subjects, we will provide reasonable cooperation with that process.

9. Return or deletion on termination (Art. 28(3)(g) GDPR)

On termination of the agreement (you uninstall the app, you delete your Shopify store, or you ask us to delete your data outside the uninstall flow), we will:

  • Permanently delete all shopper personal data processed on your behalf within 48 hours of receiving Shopify's shop/redact webhook, or within five business days of an out-of-band deletion request from you.
  • Cascade-delete across our database (currently 30+ tables, see the shop/redact webhook handler in our codebase).
  • Confirm completion to you in writing if you request confirmation.

We do not retain shopper personal data for archival or analytics purposes after termination. The only exception is encrypted backups, which roll over on a 14-day cycle and are also subject to encryption at rest.

10. Audit rights

We will provide you, on reasonable written request and not more than once per calendar year, with information necessary to demonstrate compliance with this DPA. The primary artifacts are: the Privacy Policy, this DPA, the sub-processor list, the published security disclosures, and (where applicable) the most recent third-party security review or attestation.

On-site audits and document reviews beyond these artifacts will be considered on a case-by-case basis. Where they are requested, you bear the reasonable cost of conducting the audit, and the audit is subject to a mutually-agreed scope, schedule, and confidentiality undertaking.

11. International data transfers

We host the application servers and database in the European Union (Railway, EU region). Several sub-processors are located in the United States: Anthropic, Voyage AI, Google (GA4), Microsoft (IndexNow). Shopify operates globally with headquarters in Canada (subject to the European Commission's adequacy decision).

For each transfer of personal data outside the EEA or UK, we rely on the appropriate transfer mechanism, as described in our Privacy Policy section "International data transfers":

  • European Commission adequacy decisions where they apply.
  • Standard Contractual Clauses (Module Two: controller to processor) adopted by the European Commission, where adequacy does not apply.
  • The UK International Data Transfer Addendum to the SCCs for UK data subjects.

The SCCs and any applicable Addendum are incorporated by reference into this DPA. You and we are each parties to those SCCs by virtue of accepting this DPA, in the roles of data exporter (you) and data importer (us).

12. Governing law and changes

This DPA is governed by the laws of India to the extent the matter is not exclusively governed by EU or UK law. Where EU or UK law applies (for example, where the data subject is located in the EEA or UK), the relevant data-protection law takes precedence over the governing-law clause for matters within its scope.

For material changes to this DPA, we will post the update on this page, change the effective date below, and email merchants on file at least 30 days before the change takes effect. Continued use of the App after the effective date constitutes acceptance.

13. Contact

Privacy, data-protection, and DPA queries: support@crawlwithai.com.

Postal address for written notices: Shubh Pranamya, Shop No. 33, Ashoka Palace, Makrani Pada Road, Malad East, Mumbai 400097, India. GSTIN 27AFIFS3251E1Z1.
